Bug#1052433: bookworm-pu: package pam/1.5.2-6+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: p...@packages.debian.org, Guido Berhoerster Control: affects -1 + src:pam [ Reason ] Before the bookworm freeze, I introduced a --disable option to pam-auth-update so you could programatically disable a pam profile. (You can also muck around in debconf and then call pam-auth-update --package, at least under some circumstances, but this is a better interface.) Unfortunately, I had a bug, and the next time pam-auth-update is run, the profile will be enabled again. The fix is trivial and is covered by a updated autopkgtest. Debian-edu says they would like this change in bookworm so they can disable ldap auth in favor of Kerberos. I think this is low risk. I have also included translation updates. [ Impact ] Debian-edu will have to work around this somehow. The new --disable option won't work in many situations. [ Tests ] Autopkgtests have been updated to confirm the fix; I confirmed the old code fails and the new code passes. I've also tested manually. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] git diff debian/1.2.5-6..HEAD diff --git a/debian/changelog b/debian/changelog index 83794f03..22c1699d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +pam (1.5.2-6+deb12u1) bookworm; urgency=medium + + * Fix pam-auth-update --disable logic error, Closes: #1039873 + * Set myself as maintainer; thanks Steve for past and future work. + * Updated Turkish Debconf translations, Thanks Atila KOÇ, Closes: #1029002 + + -- Sam Hartman Thu, 21 Sep 2023 14:55:12 -0600 + pam (1.5.2-6) unstable; urgency=medium * Update debian/copyright, Thanks Bastian Germann, Closes: #460232 diff --git a/debian/control b/debian/control index 4b685f16..9cdc3f81 100644 --- a/debian/control +++ b/debian/control @@ -1,8 +1,8 @@ Source: pam Section: libs Priority: optional -Uploaders: Sam Hartman -Maintainer: Steve Langasek +Maintainer: Sam Hartman +Uploaders: Steve Langasek Standards-Version: 4.6.0 Build-Depends: debhelper-compat (= 13), dh-exec, quilt, flex, libdb-dev, libcrypt-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any] , pkg-config, libfl-dev, libfl-dev:native, docbook-xsl, docbook-xml, xsltproc, libxml2-utils, w3m Build-Conflicts-Indep: fop diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update index b3de86e7..ac00b1c9 100644 --- a/debian/local/pam-auth-update +++ b/debian/local/pam-auth-update @@ -162,7 +162,9 @@ push(@enabled, # Disable anything explicitly disabled @enabled = grep {!$to_disable{$_} } @enabled; # And we've seen anything we disable -delete @seen{ keys %to_disable}; +foreach my $i (keys %to_disable) { +$seen{$i} = 1; +} # an empty module set is an error, so in that case grab all the defaults if (!@enabled) { diff --git a/debian/po/tr.po b/debian/po/tr.po index 0bd9b64c..19b0c1ef 100644 --- a/debian/po/tr.po +++ b/debian/po/tr.po @@ -1,48 +1,40 @@ -# Debconf questions for the Linux-PAM package. -# Copyright (C) 2007 Steve Langasek +# Turkish translation of pam. # This file is distributed under the same license as the pam package. -# Mert Dirik , 2008. +# Mert Dirik , 2008, 2014. # msgid "" msgstr "" -"Project-Id-Version: pam 0.99.7.1-5\n" +"Project-Id-Version: pam\n" "Report-Msgid-Bugs-To: p...@packages.debian.org\n" -"POT-Creation-Date: 2021-02-26 10:32-0500\n" -"PO-Revision-Date: 2014-08-01 14:42+0200\n" -"Last-Translator: Mert Dirik \n" -"Language-Team: Debian L10n Turkish \n" +"POT-Creation-Date: 2021-03-15 18:23-0400\n" +"PO-Revision-Date: 2022-12-26 12:26+0300\n" +"Last-Translator: Atila KOÇ \n" "Language: tr\n" +"Language-Team: Debian L10n Turkish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Poedit 1.5.4\n" +"X-Generator: Poedit 2.4.2\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" #. Type: string #. Description #: ../libpam0g.templates:1001 msgid "Services to restart for PAM library upgrade:" -msgstr "" -"PAM kitaplığının yükseltilmesi için yeniden başlatılacak olan hizmetler:" +msgstr "PAM kitaplığının yükseltilmesi için yeniden başlatılacak hizmetler:" #. Type: string #. Description #: ../libpam0g.templates:1001 -#, fuzzy -#| msgid "" -#| "Most services that use PAM need to be restarted to use modules built for " -#| "this new version of libpam. Please review the following space-separated " -#| "list of init.d scripts for services to be restarted now, and correct it " -#| "if needed." msgid "" "Most services that use PAM need to be restarted to use modules built for " "this new version of libpam. Please
Processed: bookworm-pu: package pam/1.5.2-6+deb12u1
Processing control commands: > affects -1 + src:pam Bug #1052433 [release.debian.org] bookworm-pu: package pam/1.5.2-6+deb12u1 Added indication that 1052433 affects src:pam -- 1052433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052433 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1052420: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1
Package: release.debian.org Control: affects -1 + src:flameshot X-Debbugs-Cc: flames...@packages.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: bullseye X-Debbugs-Cc: by...@debian.org Severity: normal [ Reason ] As reported in https://bugs.debian.org/1051408 , current flameshot in Debian 11 (Bullseye) will silently upload the current captured screenshot to imgur without confirmation whenever the corresponding hotkey is pressed. This imposes a security risk of leaking sensitive information. In order to mitigate this issue, I propose to upload flameshot 0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded in the source code. Users who wish to utilize the img uploading feature can fill in their own imgur token in flameshot config window to re-enable the feature. [ Impact ] If the update is not approved, users of flameshot will have their captured screenshot uploaded to imgur by default when the hotkey is pressed without prompt, which poses a security and information leaking risk to Debian 11 users using flameshot. [ Tests ] Manually tested in a Debian Bullseye VM. [ Risks ] Minimum risk as seen from debdiff. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Reset hardcoded imgur token to all zero to invalidate img uploading functionality by default. For details, please check debdiff attached. [ Other info ] Upstream takes a different fix by popping up a confirmation window whenever an image upload is to be done. The details can be found at https://github.com/flameshot-org/flameshot/releases/tag/v11.0.0 . Such solution is not applied here due to the workload in backporting all UI source code changes. Thanks, Boyuan Yang diff -Nru flameshot-0.9.0+ds1/debian/changelog flameshot-0.9.0+ds1/debian/changelog --- flameshot-0.9.0+ds1/debian/changelog 2021-07-22 18:10:19.0 -0400 +++ flameshot-0.9.0+ds1/debian/changelog 2023-09-21 13:16:48.0 -0400 @@ -1,3 +1,20 @@ +flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium + + * debian/patches/0006-Disable-default-imgur-token.patch: +Disable default imgur uploading token. +. +Flameshot before v0.10.0 does not pop up confirmation before +uploading the screenshot to imgur, which is a security risk +that may leak sensitive user information. +. +This patch strips the embedded default imgur token from the +source code to disable default image uploading. Users who need +image uploading functionality may set their own imgur token +in flameshot configuration to re-enable this functionality. +(Closes: #1051408) + + -- Boyuan Yang Thu, 21 Sep 2023 13:16:48 -0400 + flameshot (0.9.0+ds1-2) unstable; urgency=high * debian/patches/0003-Disable-automatic-update-checking-by-default.patch: diff -Nru flameshot-0.9.0+ds1/debian/NEWS.Debian flameshot-0.9.0+ds1/debian/NEWS.Debian --- flameshot-0.9.0+ds1/debian/NEWS.Debian 1969-12-31 19:00:00.0 -0500 +++ flameshot-0.9.0+ds1/debian/NEWS.Debian 2023-09-21 13:16:48.0 -0400 @@ -0,0 +1,16 @@ +flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium + + * This version disables the default imgur uploading token. +. +Flameshot before v0.10.0 does not pop up confirmation before +uploading the screenshot to imgur, which is a security risk +that may leak sensitive user information. +. +This version strips the embedded default imgur token from the +source code to disable default image uploading. Users who need +image uploading functionality may set their own imgur token +in flameshot configuration to re-enable this functionality. +. +For more information, check out https://bugs.debian.org/1051408 . + + -- Boyuan Yang Thu, 21 Sep 2023 13:16:48 -0400 diff -Nru flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch --- flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch 1969-12-31 19:00:00.0 -0500 +++ flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch 2023-09-21 13:16:39.0 -0400 @@ -0,0 +1,45 @@ +From: Boyuan Yang +Date: Thu, 21 Sep 2023 13:14:23 -0400 +Subject: Disable default imgur token + +Flameshot before v0.10.0 does not pop up confirmation before +uploading the screenshot to imgur, which is a security risk +that may leak sensitive user information. + +This patch strips the embedded default imgur token from the +source code to disable default image uploading. Users who need +image uploading functionality may set their own imgur token +to re-enable this functionality. + +Bug-Debian: https://bugs.debian.org/1051408 +--- + src/CMakeLists.txt | 2 +- + src/imgur.pri | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) +
Processed: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1
Processing control commands: > affects -1 + src:flameshot Bug #1052420 [release.debian.org] bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1 Added indication that 1052420 affects src:flameshot -- 1052420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052420 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1028489: Please pacakge 1.82, not 1.83
Hi, I maintain Ceph, and it needs version 1.82. I don't think it is compatible with version 1.83. Please do package version 1.82 in Debian, otherwise, I'll have to use the embedded (statically linked) version of libbost, which isn't ideal. Note that Ceph is a key package, because Qemu needs it, and Qemu is needed to boostrap new arch, like currently RiscV. Cheers, Thomas Goirand (zigo)